<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#3333FF">
<p>Andreas,</p>
<p> What I listed were very simple examples for understanding the
point. As you said, identifying few applications by looking at
user-agent or some other fields is possible but not all. Some
application signatures may be spread over multiple packets. With
ever increasing technologies and complexities, identifying new
applications may require a dedicated application detection engine
which is updated periodically for newer applications.<br>
</p>
<br>
<div class="moz-cite-prefix">On 20-Jul-16 12:22 PM, Andreas Herz
wrote:<br>
</div>
<blockquote cite="mid:20160720065239.GM23593@ks3360651.kimsufi.com"
type="cite">
<pre wrap="">On 20/07/16 at 12:08, Vishal Kotalwar wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Thanks Andreas for the reply, appreciate it.
what I can tell you is, how I may use this feature (probable use cases) if
implemented.
1) Control or blocking of traffic: Example - I may want to allow
Facebook.com but block the games (say Farmville) or facebook chat
</pre>
</blockquote>
<pre wrap="">
Some of that might be already managed by rules but you will run into
issues nowadays, since more and more services are using HTTPS and we
can't look into encrypted traffic.
</pre>
<blockquote type="cite">
<pre wrap="">2) Statistics: I may want to know how many people are using Chrome browser
in my network, more detailed could be chrome from desktop/laptop and mobile;
next level could be which OS on those devices (e.g. windows, linux, mac,
Blackberry, android, ios etc)
</pre>
</blockquote>
<pre wrap="">
You could check for User-Agent in a rule and also use similiar rules to
detect the OS. I guess that should be possible already with the correct
rules.
</pre>
<blockquote type="cite">
<pre wrap="">3) Rate limit: I may want to rate limit video/audio streaming applications
on my network to free up bandwidth
</pre>
</blockquote>
<pre wrap="">
Well that's not really a task for Suricata, that would fit into other
tools/systems.
</pre>
<blockquote type="cite">
<pre wrap="">On 20-Jul-16 12:41 AM, Andreas Herz wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 19/07/16 at 16:49, Vishal Kotalwar wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi All,
I was going through all the information on suricata through different
websites and articles but could not find any information on application
recognition or classification capability. Does suricata have this feature or
is it in road-map for next releases.
</pre>
</blockquote>
<pre wrap="">There is no dedicated application awareness although this depends on a
ruleset as well.
It is a feature we're looking into, but would need a lot of work.
Do you have some more details about how you would want such a feature?
</pre>
</blockquote>
<pre wrap="">
--
Thanks & Regards,
Vishal V. Kotalwar
</pre>
</blockquote>
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
Suricata User Conference November 9-11 in Washington, DC: <a class="moz-txt-link-freetext" href="http://oisfevents.net">http://oisfevents.net</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
Thanks & Regards, <br>
Vishal V. Kotalwar</div>
</body>
</html>